Merge pull request #2164 from merlokk/gen4_chpasswd

add change password command
2025-08-21 05:43:48 -07:00 · 2023-11-06 15:57:35 +02:00 · 2023-11-06 15:57:35 +02:00 · 86085dc386
commit 86085dc386
parent 9a05e8bbd6 f2110c11ae
4 changed files with 67 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...

 ## [unreleased][unreleased]
+ - Added `hf mf gchpwd` command for change Gen4 GTU card access password (@merlokk)
 - Added `--ms` option in `hw status` to specify the timeout of connection speed test (@wh201906)
 - Added `hf mf ginfo` command for get info about Gen4 GTU configuration (@merlokk)
 - Added support for loading Flipper PICOPASS dump files (@iceman1001)
--- a/client/src/cmdhfmf.c
+++ b/client/src/cmdhfmf.c
@ -8229,6 +8229,54 @@ static int CmdHF14AGen4Save(const char *Cmd) {
    return PM3_SUCCESS;
 }

+// change Gent4 GTU card access password
+static int CmdHF14AGen4ChangePwd(const char *Cmd) {
+
+    CLIParserContext *ctx;
+    CLIParserInit(&ctx, "hf mf gchpwd",
+                  "Change access password for Gen4 GTU card. WARNING! If you dont KNOW the password - you CAN'T access it!!!",
+                  "hf mf gchpwd --pwd 00000000 --newpwd 01020304"
+                 );
+    void *argtable[] = {
+        arg_param_begin,
+        arg_str0("p", "pwd", "<hex>", "password 4 bytes"),
+        arg_str0("n", "newpwd", "<hex>", "new password 4 bytes"),
+        arg_lit0("v", "verbose", "verbose output"),
+        arg_param_end
+    };
+    CLIExecWithReturn(ctx, Cmd, argtable, false);
+
+    int pwd_len = 0;
+    uint8_t pwd[4] = {0};
+    CLIGetHexWithReturn(ctx, 1, pwd, &pwd_len);
+
+    int new_pwd_len = 0;
+    uint8_t new_pwd[4] = {0};
+    CLIGetHexWithReturn(ctx, 2, new_pwd, &new_pwd_len);
+
+    bool verbose = arg_get_lit(ctx, 3);
+
+    if (pwd_len != 4) {
+        PrintAndLogEx(FAILED, "Old password must be 4 bytes long, got " _YELLOW_("%u"), pwd_len);
+        return PM3_EINVARG;
+    }
+
+    if (new_pwd_len != 4) {
+        PrintAndLogEx(FAILED, "New password must be 4 bytes long, got " _YELLOW_("%u"), new_pwd_len);
+        return PM3_EINVARG;
+    }
+
+    int res = mfG4ChangePassword(pwd, new_pwd, verbose);
+    if (res != PM3_SUCCESS) {
+        PrintAndLogEx(ERROR, "Change password error");
+        return res;
+    }
+
+    PrintAndLogEx(SUCCESS, "Change password done successfully.");
+
+    return PM3_SUCCESS;
+}
+
 static int CmdHF14AGen4_GDM_Cfg(const char *Cmd) {
    CLIParserContext *ctx;
    CLIParserInit(&ctx, "hf mf gdmcfg",
@ -8876,6 +8924,7 @@ static command_t CommandTable[] = {
    {"gsave",       CmdHF14AGen4Save,       IfPm3Iso14443a,  "Save dump from card into file or emulator"},
    {"gsetblk",     CmdHF14AGen4SetBlk,     IfPm3Iso14443a,  "Write block to card"},
    {"gview",       CmdHF14AGen4View,       IfPm3Iso14443a,  "View card"},
+    {"gchpwd",      CmdHF14AGen4ChangePwd,  IfPm3Iso14443a,  "Change card access password. Warning!"},
    {"-----------", CmdHelp,                IfPm3Iso14443a,  "-------------------- " _CYAN_("magic gen4 GDM") " --------------------------"},
    {"gdmcfg",      CmdHF14AGen4_GDM_Cfg,   IfPm3Iso14443a,  "Read config block from card"},
    {"gdmsetcfg",   CmdHF14AGen4_GDM_SetCfg, IfPm3Iso14443a, "Write config block to card"},
--- a/client/src/mifare/gen4.c
+++ b/client/src/mifare/gen4.c
@ -145,6 +145,21 @@ int mfG4GetFactoryTest(uint8_t *pwd, uint8_t *data, size_t *datalen, bool verbos
    return PM3_SUCCESS;
 }

+int mfG4ChangePassword(uint8_t *pwd, uint8_t *newpwd, bool verbose) {
+    uint8_t resp[40] = {0};
+    size_t resplen = 0;
+
+    int res = mfG4ExCommand(GEN4_CMD_CHANGE_PASSWORD, pwd, newpwd, 4, resp, &resplen, verbose);
+    if (res != PM3_SUCCESS) {
+        return res;
+    }
+
+    if (resplen != 2 || resp[0] != 0x90 || resp[1] != 0x00)
+        return PM3_EAPDU_FAIL;
+
+    return PM3_SUCCESS;
+}
+
 int mfG4GetBlock(uint8_t *pwd, uint8_t blockno, uint8_t *data, uint8_t workFlags) {
    struct p {
        uint8_t blockno;
--- a/client/src/mifare/gen4.h
+++ b/client/src/mifare/gen4.h
@ -42,4 +42,6 @@ int mfG4GetFactoryTest(uint8_t *pwd, uint8_t *data, size_t *datalen, bool verbos
 int mfG4GetBlock(uint8_t *pwd, uint8_t blockno, uint8_t *data, uint8_t workFlags);
 int mfG4SetBlock(uint8_t *pwd, uint8_t blockno, uint8_t *data, uint8_t workFlags);

+int mfG4ChangePassword(uint8_t *pwd, uint8_t *newpwd, bool verbose);
+
 #endif